Imagine you are an Army General, and you have been given responsibility to defend a town that is the key to the local road network. You have a specific set of units under your command and several days to prepare your defense before the enemy is expected to attack. How are you going to go about setting up your defenses? Could you successfully defend without understanding the routes the enemy will use and the capabilities the enemy will have, in addition to knowing their objective?
Let’s try a thought experiment involving two different generals, each with the same resources and facing the same military problem described above. One is a by the book, well trained and thoughtful guy. The other is a dynamic, adaptive character who tries to get in his enemy’s head and understand how they fight and attack. Let’s compare General 1 and General 2 as they set up their defense.
General 1 knows the enemy’s objective and goes about setting up his defenses. He prepares to defend against the enemy by placing equal amounts of military resources and early detection systems along the entire perimeter around the town. He runs down a checklist and makes sure that each observation post is equipped with binoculars and a radio and that each defensive position has four riflemen, two anti-tank missiles and a machine gun. He divides his resources equally to give as much strength as possible everywhere. When the enemy breaches his perimeter, and once he becomes aware of it, he plans to personally rush to the breach with his headquarters staff, determine what the enemy’s objective is and personally defend it, while calling back to headquarters for a bunch of rear area MPs to come help defeat the enemy.
General 2, in this thought experiment, goes out and walks the battlefield, views it from where the enemy may attack, and identifies attack routes, observation points, etc. He gets briefed by his intelligence team about what capabilities the enemy is likely to have, how much strength is expected, and which routes are most likely to be used. Then, based on his best understanding of the enemy, their capabilities and how a defended town is attacked, General 2 places the majority of his observation and defensive capabilities along the most likely attack routes. Perhaps he even makes the less likely routes very difficult or impossible to use, so that the enemy will come by the routes he prefers to defend. And he makes sure to have scouts watching for attacks at all points on the perimeter, while keeping a reserve force for rapid response in case the enemy breaches the perimeter.
Which of these approaches would be more successful? Which general is likely to win this defense? Which general has a much better chance of not getting fired if he doesn’t win the battle?
Today’s CISO, in my experience, is like General 1. But today’s CISO needs to be like General 2. The CISO needs more than firewalls, IPS, A/V, hard drive encryption, etc. Even adding “Detect and Respond” to the mix isn’t enough. That’s just another checkmark on the list of things you have to have to defend your network. In other words, just more of the compliance paradigm.
The missing component here is the intelligence necessary to build a dynamic and proactive defense. The CISO needs to know where and how he is going to be attacked. He needs to know which routes lead to his critical assets and which routes don’t. Without Attack Intelligence, your only hope for defense is to follow the compliance checklist, spread your defenses evenly along the perimeter, try to patch every vulnerability, spread your limited resources incredibly thin and hope nothing bad happens.
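To make “which routes lead to critical assets and which don’t” concrete, here is an added example (not code from the original post) that models a small, constructed network as a reachability graph, enumerates every route from the internet-facing entry point to the critical asset, ranks hosts by how many routes they sit on, and then places a limited sensor budget where it covers the most routes. The topology, host names and the idea of using a greedy set cover for sensor placement are all assumptions made for the illustration; the point it shows is that route knowledge lets a defender get the same coverage as an evenly spread perimeter with fewer resources, and identifies hosts that are on no route at all.

```python
"""Attack-route analysis over a constructed network (added example)."""
from collections import defaultdict

# Constructed topology: host -> hosts it can reach (firewall rules, trust
# relationships, shared credentials). Not a real environment.
REACH = {
    "internet": ["web", "vpn", "mail"],
    "web": ["app"],
    "vpn": ["jump"],
    "mail": ["workstation"],
    "workstation": ["fileserver", "jump"],
    "jump": ["app", "db-admin"],
    "app": ["db"],
    "db-admin": ["db"],
    "fileserver": [],   # reachable, but leads nowhere critical
    "printer": [],      # isolated: on no route at all
    "db": [],           # the critical asset
}
ENTRY = "internet"
CRITICAL = "db"


def attack_routes(graph, src, dst):
    """Enumerate every simple (loop-free) route from src to dst by DFS."""
    routes = []

    def walk(node, path):
        if node == dst:
            routes.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only
                walk(nxt, path + [nxt])

    walk(src, [src])
    return routes


def choke_points(routes):
    """Count how many routes each intermediate host sits on, most first."""
    counts = defaultdict(int)
    for r in routes:
        for host in r[1:-1]:             # skip entry point and target
            counts[host] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def unrouted_hosts(graph, routes):
    """Hosts that appear on no route to the critical asset."""
    on_route = {h for r in routes for h in r}
    return sorted(set(graph) - on_route)


def coverage(routes, sensors):
    """Number of routes on which at least one sensor host appears."""
    return sum(1 for r in routes if any(h in r[1:-1] for h in sensors))


def place_sensors(routes, budget):
    """Greedy set cover: each pick is the host covering the most uncovered routes."""
    covers = defaultdict(set)
    for i, r in enumerate(routes):
        for host in r[1:-1]:
            covers[host].add(i)
    uncovered = set(range(len(routes)))
    chosen = []
    while uncovered and len(chosen) < budget:
        # max() returns the first maximum, so sorted() makes ties alphabetical
        host = max(sorted(covers), key=lambda h: len(covers[h] & uncovered))
        if not covers[host] & uncovered:
            break
        chosen.append(host)
        uncovered -= covers[host]
    return chosen


if __name__ == "__main__":
    routes = attack_routes(REACH, ENTRY, CRITICAL)
    print(f"{len(routes)} routes from {ENTRY} to {CRITICAL}:")
    for r in routes:
        print("  " + " -> ".join(r))
    print("choke points:", choke_points(routes))
    print("hosts on no route:", unrouted_hosts(REACH, routes))
    perimeter = ["web", "vpn", "mail"]          # General 1: spread along the edge
    focused = place_sensors(routes, budget=2)   # General 2: follow the routes
    print("perimeter placement", perimeter, "covers", coverage(routes, perimeter))
    print("route-driven placement", focused, "covers", coverage(routes, focused))
```

On this topology both placements cover all five routes, but the route-driven one does it with two sensors instead of three, and the ranking shows that `jump` alone sits on four of the five routes while `fileserver` and `printer` sit on none. Swapping in a real reachability map (exported firewall rules, trust relationships, credential reuse) turns the same code into a first-cut answer to the question the post is asking.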
And what if General 2’s assessment of the capabilities is wrong? Now he’s in a worse position than General 1. Instead of basing your decisions on difficult-to-quantify and impossible-to-know things like your enemy’s capabilities, keep the focus on the routes to critical assets.
If the risk assessment community ever comes up with a methodology for determining the difficulty in an objective and verifiable way, then use those numbers as well. Until then, stay away from subjective numbers which can’t be quantified or verified. It’s an unknown; just accept that and plan accordingly.
I think that you are reading too much into the analogy. If a CISO knew the actual routes that could be used to access critical data, and defended those routes better, it would make a huge difference. That may not be the entirety of the “attack intelligence universe”, but it would certainly be a great start.
Pingback: What Is A Good Security Program? | Security, Cigars and FUD